ELIGIBLE RECEIVER Program

• ELIGIBLE RECEIVER 

- An exercise series 

- Directed by the Chairman of the Joint Chiefs of Staff 

- Designed to test DOD planning and crisis-action capabilities

• ELIGIBLE RECEIVER 97: Conducted 9-13 June 1997 

- First large-scale exercise designed to test our ability to respond to an attack on our information infrastructure

- Also evaluated ability to work with other branches of government to respond to an attack on National infrastructure

ELIGIBLE RECEIVER 97 revealed: 

- Significant vulnerabilities in US Defense Information Systems

- Deficiencies in responding to a coordinated attack on National infrastructure and information systems
ELIGIBLE RECEIVER 97 Participants


• Department of Defense 

• The Joint Staff 

• Military Services 

• Combatant Commands 

- US Atlantic Command

- US Pacific Command 

- US Space Command 

- US Special Operations Command

- US Transportation Command

• National Security Agency 

• Defense Information Systems Agency
• National Security Council

• Department of State

• Department of Justice

• Department of Transportation

• Defense Intelligence Agency

• Central Intelligence Agency

• Federal Bureau of Investigation

• National Reconnaissance Office
Attack Phases

• Phase I: National Infrastructure Attack (Simulated)

- Against portions of national infrastructure (power and communications systems)

- Designed to cause public pressure for action

- Simulated, but based on assessed vulnerabilities

• Phase II: Defense Information Attack (Actual)

- Targeted key Defense information systems

- Actually intruded into many computer systems

- Exploited actual vulnerabilities of our system
Power and Telecom Attack


Regional, coordinated attacks 

• Power systems 

• Telephone (911 system) 

Simulated, but based on assessment of actual vulnerability


[Map: regional attack locations, including Detroit, Chicago, Norfolk, Oahu, Los Angeles, Colorado Springs, St. Louis, Fayetteville and Tampa]

• SCADA* systems provided entry for (simulated) cyber attacks on power systems

• Overloading phone systems disrupted communications

• Public sources provided the knowledge


*Supervisory Control and Data Acquisition 
Computer Network Attack Plan


PRIORITY TARGETS

• National Military Command Center

• Combatant Commands

- Pacific Command

- Space Command

- Transportation Command

- Special Ops Command

• Defense Logistics Agency


TYPES OF ATTACK

• Intruded into Computer Systems

- Denied Service

- Changed Data

- Removed Data

• Interrupted E-mail

• Disrupted phone service


All attacks used commonly available “hacker” tools 
ELIGIBLE RECEIVER 97 - Key Observations


• Defense and National Information Infrastructures are highly interdependent

• National decision-making structure and coordination processes are unresponsive to speed of attacks

• No structure or process exists to coordinate DoD defense

- No ability to interface with rest of US government, allies and private sector

• "Indications and Warning" process is inadequate

• Little capability exists to detect or assess cyber attacks

• Characterization and attribution of attacks is very difficult

• Many legal questions must be addressed

• Poor information / operational security practices contributed to vulnerabilities



CL BY: Brig Gen Bruce A. Wright; REASON: 1.5(a); DECL ON 11 DEC, 2006 


Page 7

UNCLASSIFIED



An Actual Attack on DOD Computer Systems occurred during February 1998


Code Name: 

SOLAR SUNRISE 
• SOLAR SUNRISE incident occurred from 1 to 26 February 1998

- DOD computer systems were systematically attacked 

• Attack pattern indicative of preparation for a coordinated attack on Defense Information Infrastructure
SOLAR SUNRISE - Attack Profile

• Attacks targeted DOD network Domain Name Servers 

• Exploited well-known vulnerability in Solaris Operating System

• Attack profile

1 - Probe to determine if vulnerability exists in server

2 - Exploit vulnerability to enter computer

3 - Implant program to gather data

4 - Return later to retrieve collected data

• Numerous attacks followed same profile 
[Map: intrusion paths; legend: Origin, Probe, Compromise]



The Basis of Our Concern 

• Attacks were widespread and appeared to be coordinated

• Attacks targeted key parts of defense networks

• Attackers attained many network passwords

• Could not characterize or attribute attacks

- Potential connection with impending operations in Gulf?

• Key support systems depend on unclassified network

- Global Transportation System

- Defense Finance System

- Medical, personnel, logistics

- Official unclassified e-mail



Characterization


• Important to establish intent

- Worst-case: coordinated strategic attack

• Coordinated with Gulf activities?

• Possible preparation for Information attack

- Possible: terrorists, criminals

• No intelligence information to support

- Most likely: "Hackers"

• Some characteristics of hacker games

• No damaging exploitation of systems or data

• Forensic analysis helps, but slow and resource-intensive
Attribution Challenges


• Impossible to attribute intrusions

- Multiple-node paths hide origin 

- Legal restrictions hindered search 


[Map: intrusion path; locations include Cloverdale and College Station]
DOD Defensive Actions



• Increase DOD awareness: 24-hour watch 


• Identify and patch systems at risk 

• Install intrusion detection systems on key nodes 

• Analyze data to assess attacks and develop leads 

• Dispatch Emergency Response Teams to hottest sites to assist fixes

• Assess status of systems; fix and begin cleanup

• Form Red Team to reverse engineer attacks

• Plan for degradation/loss of network

• Share data with private sector

• Team with law enforcement agencies




• Confirmed ELIGIBLE RECEIVER findings

- Legal issues remain unresolved 

- No effective Indications and Warning system 

- Intrusion detection systems insufficient 

- DOD and Government organizational deficiencies hinder ability to react effectively

- Characterization and attribution problems remain 

• Need to establish standing response team 

• Increased detection capability forces new choices

• High interest, high visibility issue

- Increases pressure for a quick response
The "ENEMY"




• On 26 Feb, FBI served warrants on the attackers: two 16-year-old boys in California

• Tools were only moderately sophisticated

• May have been tutored by foreign mentor

(Note: On 18 March, Israeli police in Jerusalem arrested "The Analyzer" for his role in DOD intrusions)

• Hacker 1: "We did it for the power"

What can determined and sophisticated attackers do? 
BACKUP


This document is from the holdings of: 

The National Security Archive 

Suite 701, Gelman Library, The George Washington University 
2130 H Street, NW, Washington, D.C., 20037 
Phone: 202/994-7000, Fax: 202/994-7005, nsarchiv@gwu.edu 



